This happens because cf-agent keeps a log of all known SETUID/SETGID files it copies, and this is the first time it's seen ncf.conf as a SETGID file. As a matter of fact we contributed a patch to CFEngine to make these messages no longer "error" but "warning" instead (see https://github.com/cfengine/core/pull/2581) which will be available in the next patch release of CFEngine 3.7.

However, ncf.conf doesn't need to be SETGID. These lines in rudder-webapp's postinst script set SETGID a bit too liberally. We need SETGID on the /var/rudder/configuration-repository/{ncf,techniques} directories so that all files created there belong to the rudder group, so that ncf-api and others can read/write them. But we don't need it on files (the SETGID bit on files is only useful for executables, and there shouldn't be any there except for the ncf-api hooks).
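One way to apply SETGID to directories only, as an added sketch that is not the rudder-webapp postinst code: the function names `setgid_files` and `normalize_setgid` are hypothetical, and leaving executable SETGID files untouched (only listing them for review) is an assumption made here.

```shell
#!/bin/sh
# Added example, not Rudder's own script. Function names are hypothetical.

# List regular files under "$1" that carry the SETGID bit. These are the
# files cf-agent records the first time it copies them.
setgid_files() {
    find "$1" -type f -perm -2000 -print
}

# Normalize SETGID under "$1":
#  - every directory gets g+s, so new entries inherit the directory's group
#  - regular files with no execute bit at all lose g+s, where it is useless
#  - executable SETGID files are left as they are and printed for review
#    (assumption: a human decides whether a hook really needs the bit)
normalize_setgid() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 1
    fi

    # Directories that do not have SETGID yet.
    find "$root" -type d ! -perm -2000 -exec chmod g+s {} +

    # Non-executable regular files that still have SETGID.
    find "$root" -type f -perm -2000 \
        ! \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        -exec chmod g-s {} +

    # Whatever is left is executable and SETGID: report it.
    setgid_files "$root"
}

# Usage, with the directories named above (run as a user allowed to chmod them):
#   normalize_setgid /var/rudder/configuration-repository/ncf
#   normalize_setgid /var/rudder/configuration-repository/techniques
```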